Added support for RFC7616 - HTTP Digest access authentication #1934
Awesome, thanks a lot! This is the CI error:
Did you write that sha256 implementation? If not, we need to know where it came from to resolve any potential licensing issues.
I am working on the CI errors now. The sha256 implementation is from here: https://github.com/B-Con/crypto-algorithms/blob/master/sha256.c, but I had to change the function names and prototypes to match the ones from openssl.
CI seems to give this error which I am not sure how to go around: error: ./../docs/libcurl/libcurl-tutorial.3:628: use \fI before curl_slist_free_all(3) It is failing test 1140. Any suggestions?
"This code is released into the public domain free of any restrictions. The author requests acknowledgement if the code is used, but does not require it. This code is provided free of any liability and without any quality claims by the author." Please mention that in the source like "Based on SHA-256 implementation by Brad Conte (brad AT bradconte.com)" and url. Also it is only little endian but we need big endian support as well. Also does this need to be taken into consideration: "Note that these are not cryptographically secure implementations. They have no resistance to side-channel attacks and should not be used in contexts that need cryptographically secure implementations."
Should be fixed in 753a5da, can you rebase on master and let the CI run again?
I did the rebase. Hopefully the CI will complete successfully. I have changed the sha implementation and adapted the one from mbedtls (https://github.com/ARMmbed/mbedtls) which should be cryptographically secure. It should support both big and little endian.
Ok. @bagder sha256 is now using an implementation released under apache 2.0 license, I don't know whether that's acceptable or not, it appears to have more requirements than MIT
The Apache 2 license is inconvenient for us because it is considered incompatible with GPLv2, so a curl using a file with that code can't be linked with GPLv2 projects!
What about the openssl implementation? I can look into porting that if it's ok.
The ideal solution would be to use the sha256 implementation that's already in the TLS library that's most likely used as well, which is how the keypinning code does it. OpenSSL is also Apache 2 these days and before that they had another GPL incompatible license so that's not ideal either. The best licenses for us would be MIT or BSD.
Alright. I will try to do it this week.
Here's a BSD licensed sha256.
I added a public domain SHA256 implementation today. It's from libtomcrypt and it was released to public domain. It was easier to port that one.
Awesome, can you look into creating a test case or two as well? I suppose this code path is triggered automatically based on the header contents, so there's really nothing particular to document? Maybe CURLOPT_HTTPAUTH.3 and CURLOPT_PROXYAUTH.3 at least need a mention somewhere that we support the RFC7616 style starting with 7.57.0?
Alright. Yes, it is automatic. I'll add some test cases this week and update those 2 docs.
Signed-off-by: Florin <petriuc.florin@gmail.com>
Updated docs to include support for RFC7616 Signed-off-by: Florin <petriuc.florin@gmail.com>
Added some test cases that I thought were relevant.
Finally, good work Florin :)
Thanks a lot @FlorinPetriuc for your hard work on this. Merged now!
Added support for RFC7616 in curl client - HTTP Digest access authentication
Signed-off-by: Florin petriuc.florin@gmail.com